The Machine Learning team uses Kserve, a Kubernetes ML stack that leverages webhooks to validate new/changed configs. The Kubernetes API needs to be able to call the HTTPs endpoint exposed by the webhook when needed, and hence it needs to trust the correct CA certificate to validate the webhook's TLS cert correctly.
We use cert-manager/cfssl-issuer to manage the webhook's certificate, using the PKI discovery intermediate. The main problem is that the CA cert is not inject as expected in the webhook's resources when needed.
In order to be able to inject the correct CA certificate, cert-manager (ca-injector) needs to read a ca.crt field in the K8s Secret created by the Certificate resource. After a chat with Janis, it seems that our cfssl-issuer plugin/implementation needs to call a specific cfssl api to gather the CA certificate.
We have forked (for the moment) cfssl and implemented https://github.com/cloudflare/cfssl/pull/1218, this use case is supported but the bundle flag needs to be true in the config to make everything working. Since this is not intuitive at first, we should also document it.